First published: Wed Aug 02 2023
In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack and make Cacheservice connect to unexpected resources. We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources. No publicly available exploits are known.
Credit: security@open-xchange.com
Affected Software | Affected Version | How to fix |
---|---|---|
<8.11 | ||
Open-xchange Open-xchange Appsuite Office | <8.11 | |
The vulnerability ID is CVE-2023-26442.
CVE-2023-26442 has a severity rating of low (3.2).
The affected software for CVE-2023-26442 is Open-xchange Open-xchange Appsuite Office, versions earlier than 8.11.
The CWE ID of CVE-2023-26442 is CWE-918.
CVE-2023-26442 can be exploited by an attacker with access to a local or restricted network who can intercept and replay HTTP requests to the sproxyd service.
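
The fix described in the advisory, no longer following HTTP redirects returned by the storage backend, is illustrated here as an added Python example; it is not Open-Xchange's code. The loopback servers, the paths and the names `fetch`, `NoRedirect`, `serve` and `demo` are constructed for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx: returning None makes urllib raise HTTPError instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, follow_redirects):
    # ProxyHandler({}) ignores proxy environment variables so the demo stays local.
    handlers = [urllib.request.ProxyHandler({})]
    if not follow_redirects:
        handlers.append(NoRedirect())
    with urllib.request.build_opener(*handlers).open(url, timeout=5) as resp:
        return resp.status, resp.read()

def serve(respond):  # constructed loopback server; `respond` handles GET
    class Handler(http.server.BaseHTTPRequestHandler):
        do_GET = respond
        def log_message(self, *args):
            pass
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    hits = []  # requests reaching a resource the client was never meant to contact
    def internal(h):
        hits.append(h.path)
        h.send_response(200); h.send_header("Content-Length", "6"); h.end_headers()
        h.wfile.write(b"secret")
    def backend(h):  # stand-in for a storage backend that answers with a redirect
        h.send_response(302); h.send_header("Location", target)
        h.send_header("Content-Length", "0"); h.end_headers()
    inner = serve(internal)
    target = f"http://127.0.0.1:{inner.server_port}/internal"
    outer = serve(backend)
    url = f"http://127.0.0.1:{outer.server_port}/object/1"
    followed = fetch(url, follow_redirects=True)  # behaviour before the fix
    before = len(hits)
    try:
        blocked = fetch(url, follow_redirects=False)  # behaviour after the fix
    except urllib.error.HTTPError as err:
        blocked = (err.code, b"")  # the 3xx surfaces as an error to handle or log
    for srv in (inner, outer):
        srv.shutdown(); srv.server_close()
    return {"followed": followed, "blocked": blocked,
            "reached_before": before, "reached_after": len(hits) - before}
```

With redirects refused, the 302 reaches the caller as an error, which also gives operators a log event to alert on when a storage backend starts issuing redirects.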